Overwriting healthcheck

We have multiple branches and one HQ. At all sites we have one Internet link (WAN1) and one cellular link to a private APN (backup). Branches use One Core routers with no SpeedFusion license. A PepVPN tunnel is created over the WAN link (and fails over to the cellular link) between the branches and the HQ.
The WAN link health check is configured on the branch sites to check the HQ Internet link. If this link goes down, the branches can no longer access the Internet. Can we force Internet traffic to go through the WAN link even if the health check is down?

@Asem

This configuration is not typical. It will cause the problem you are experiencing. Is there a reason you chose that configuration? The WAN health check on the branch sites would typically be configured to test some public internet source. A ping to your ISP’s gateway, a DNS test, etc.

If you change all of the WAN health checks, then if the HQ internet goes down, the internet at the branch sites will still work.

Pep VPN has its own health check unrelated to the WAN health check. The frequency of the Pep VPN health check is a setting on the Pep VPN setup page. You may have been confusing Pep VPN health check with WAN health check.

2 Likes

If I change the health-check setting as you’re saying, will the branch router try to connect to the HQ router over the cellular link (assuming the HQ Internet link is down) even if the branch Internet link is OK and the cellular link is in Priority 2 in the PepVPN profile? The cellular network is private.

The Branches have internet WAN links so the healthcheck should be to see if internet access is available - not if your head office internet link is available.

Use DNS lookup or http lookup as the healthcheck at the branch offices for the internet WAN.

Yes. SF priority is for VPN traffic, WAN priority is for internet / WAN traffic.

1 Like

What about if we have PepVPN with no Speedfusion? This is the case I have with the One Core branch device. The cellular WAN appears as ‘cold standby’ and when the Internet link is down at the HQ, the branch did not try to reach the HQ over the cellular link. Do we have a workaround for this?

Omat

Ah yes I see the problem.

You would need speedfusion licensing on your branch offices to do what you want here in the official way.

With SF hot-failover you could have the cellular in hot standby and then Speedfusion will detect when the HQ link is down and failover to the private WAN at HQ (via cellular) whilst your users can still use the internet on the branch wired connections.

Or you set healthcheck on branch wired wan to ping the HQ link and accept lack of internet access when HQ link fails.

Or another hack would be to add a USB Ethernet dongle to the balance cores in the branches. Then have wired WAN and cellular for VPN with wired WAN health check configured to test HQ WAN with ping, and have an outbound policy for internet access that is priority with Wired WAN 1st and usb WAN 2nd.

That way when WAN1 is marked as unhealthy (because HQ WAN ping failed) internet access happens over USB ethernet and VPN is sent via cellular.

1 Like